User:Revansx/meza/enterprise installation walk-through

From mediawiki.org

MEZA Installation and Configuration Journal

Notice - I discovered that my RHEL environment has a security policy that asserts a umask setting of 077 on my system. This has caused a lot of trouble with my installation process and "meza deploy ..." commands. I will attempt to draw attention to it in my walk-through, but please know that the FIRST thing I do after logging in to my bash shell through PuTTY is to execute the command "umask 022" to relax the umask setting while I am working. This has to be done at the beginning of every login... just FYI.
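The following is an added example, not code from this journal or from the Meza project. It shows what the 077 policy actually does to files a deploy creates (owner-only 600/700, so service accounts other than the creator get permission denied), gives a check to run before "sudo meza deploy", and shows why the relaxed setting has to be repeated every login. Function names are made up for the illustration; the values it asserts follow from POSIX file-creation rules (new files start from 666 and the umask bits are cleared). One point worth knowing: sudo by default ORs its own umask (0022) with the invoking user's, so a 077 in the login shell carries into the deploy unless it is relaxed first.

```sh
#!/bin/sh
# Added example (not from the page or Meza): effect of the umask on
# deployed files, and a pre-deploy check. Numeric umasks only.

# Mode a new file gets under the given umask. Runs in a subshell so the
# caller's umask is untouched; mktemp -d is mode 700 regardless of umask.
mode_under_umask() {   # $1 = umask, e.g. 077
    d=$(mktemp -d) || return 1
    ( umask "$1" && : > "$d/probe" ) || return 1
    stat -c %a "$d/probe"          # 600 under 077, 644 under 022
    rm -rf "$d"
}

# Succeeds if files created under this umask remain readable by group
# and others, i.e. the mask clears neither read bit (mask & 044 == 0).
umask_allows_read() {   # $1 = umask
    [ $(( 0$1 & 044 )) -eq 0 ]
}

# Run this in the shell you will type "sudo meza deploy" into. The umask
# is inherited by sudo (its default policy ORs 0022 with yours), so a
# 077 here means every file Ansible writes is unreadable to other accounts.
check_umask_for_deploy() {
    cur=$(umask)
    if umask_allows_read "$cur"; then
        printf 'umask %s: ok for deploy\n' "$cur"
        return 0
    fi
    printf 'umask %s will leave deployed files unreadable to other accounts;\n' "$cur" >&2
    printf 'run "umask 022" in this shell first, then "sudo meza deploy".\n' >&2
    return 1
}

# Demonstration. A umask set in a subshell (or in a previous login) does
# not survive into the parent, which is why the page re-runs "umask 022"
# at the start of every session.
printf 'umask 077 -> new file mode %s\n' "$(mode_under_umask 077)"
printf 'umask 022 -> new file mode %s\n' "$(mode_under_umask 022)"
( umask 077; check_umask_for_deploy ) || true   # warns, as on the page's RHEL host
( umask 022; check_umask_for_deploy )           # the relaxed setting passes
check_umask_for_deploy || true                  # parent shell: unchanged
```

Setting umask 022 for the session is the least disruptive fix, but it also means everything else you create during that session is world-readable; limiting the relaxed umask to the deploy command, `( umask 022; sudo meza deploy monolith )`, keeps the policy in force for the rest of the login.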

Pre-Install Notes

  1. Clean RHEL7 system - nothing except what my organization's security team deemed essential
    1. had to ensure that my RHEL7 box was subscribed to the EPEL repositories that would find git, etc.
  2. configured PuTTy to connect to the server and create a text file log of all console activity
  3. logged in to the server with PuTTy
  4. cd'd to /
  5. ran #sudo yum list installed
  6. saved the putty log file for reference

Meza Install

  1. performed MEZA install per: https://www.mediawiki.org/wiki/Meza/Install_on_existing_server
    • sudo yum install -y git
    • sudo git clone https://github.com/enterprisemediawiki/meza /opt/meza
    • sudo bash /opt/meza/src/scripts/getmeza.sh
    • sudo meza deploy monolith
      • used my full system host name referred to here as: myhostname.mycompany.com
      • supplied my own password referred to here as mypassword
    • The first time I tried this I did have some issues with the way my system's default umask setting was configured (due to my organization's security requirements), but this was resolved by Meza developers (thanks James) and the second attempt went perfectly.
  2. Visited my server in the browser at: https://myhostname.mycompany.com
    • Note: it set *everything* including a self-signed cert, so I got the usual warning from my browser.
  3. cleared the putty log and re-ran #sudo yum list installed and saved it for reference
  4. cleared the putty log and ran #netstat -plntu to see what was installed and saved it for reference
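The netstat listing saved in the last step is the most useful artifact of the install from a security standpoint, because it shows which of the services Meza set up are reachable from other hosts. The following is an added example, not code from this journal or from Meza, that works over such a listing: it separates sockets bound to every interface (0.0.0.0 / ::) from loopback-only ones, answers "is port N exposed?", and diffs two saved listings (before and after a deploy) to show what appeared. The sample listing is constructed in netstat -plntu layout; the ports and program names in it are illustrative, not a capture from a real Meza host, and the function names are made up.

```sh
#!/bin/sh
# Added example (not from the page or Meza): post-install review of a
# "netstat -plntu" listing.

# Constructed sample in netstat -plntu layout (illustrative only).
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1001/sshd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1234/mysqld
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      2345/haproxy
tcp6       0      0 :::80                   :::*                    LISTEN      2345/haproxy
tcp        0      0 127.0.0.1:9200          0.0.0.0:*               LISTEN      3456/java
udp        0      0 0.0.0.0:68              0.0.0.0:*                           5678/dhclient'

# Constructed "before install" listing for the diff below.
BASELINE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1001/sshd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           5678/dhclient'

# Print "SCOPE proto port program" per socket. UDP rows have no State
# column, so the program is taken from the last field, not a fixed one.
classify_listeners() {   # $1 = netstat text
    printf '%s\n' "$1" | awk '
        $1 ~ /^(tcp|udp)/ {
            addr = $4; port = addr; sub(/.*:/, "", port)
            prog = $NF; sub(/^[0-9]+\//, "", prog)
            if (addr ~ /^0\.0\.0\.0:/ || addr ~ /^:::/)   scope = "ALL"
            else if (addr ~ /^127\./ || addr ~ /^::1:/)    scope = "LOCAL"
            else                                           scope = "IFACE"
            print scope, $1, port, prog
        }'
}

# Only the sockets another host can reach.
exposed_listeners() { classify_listeners "$1" | awk '$1 == "ALL"'; }

# Succeeds if PORT is bound on all interfaces.
port_is_exposed() {   # $1 = netstat text, $2 = port
    exposed_listeners "$1" | awk -v p="$2" '$3 == p { f = 1 } END { exit f ? 0 : 1 }'
}

# Sockets present in the new listing but not the old one: the review
# diff to look at after every "meza deploy".
new_listeners() {   # $1 = old text, $2 = new text
    old="${TMPDIR:-/tmp}/listeners.old.$$"
    classify_listeners "$1" | sort > "$old"
    classify_listeners "$2" | sort | comm -13 "$old" -
    rm -f "$old"
}

echo "reachable from the network:"; exposed_listeners "$SAMPLE_NETSTAT"
echo "new since baseline:";         new_listeners "$BASELINE_NETSTAT" "$SAMPLE_NETSTAT"
```

In the sample, the database and the search index stay on loopback while HAProxy and sshd are the only services exposed; a `port_is_exposed` check for 3306 or 9200 failing is exactly what you want to see after a deploy, and the same functions run unchanged over the real saved PuTTY log.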

SSL Certs

Working with my organization to install a *valid* cert purchased by my organization

  • Note: discovered that SSL is handled by Meza's load balancer, which is called HAProxy
  • Note: keys are at /opt/conf-meza/secret/monolith/ssl as meza.crt and meza.key
  • my organization uses chain certs (trusted cert -> intermediate cert -> star/wildcard cert)
  1. had my server admin generate the certs on the system and named the wildcard/star cert to meza.cert
  2. ran #sudo meza deploy monolith --tags load-balancer
  • this is NOT YET WORKING... HAProxy doesn't seem to like the cert chain; deferring this for now
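One thing HAProxy is strict about: its `crt` directive reads a single PEM file that must contain the server (wildcard) certificate first, followed by the intermediate certificate(s), and then the private key; a file holding only the leaf, or one with the chain in the wrong order, fails chain building on the client side. The following is an added example, not code from this journal or from Meza, that assembles such a bundle in the right order, refuses inputs that are not what each position expects, and creates the output owner-only since it contains the key. That Meza feeds HAProxy the meza.crt/meza.key pair noted above, and whether it wants the key inside meza.crt or kept in meza.key, is an assumption here (the page records only the two file names; note the file is meza.crt, not meza.cert). The PEM blocks in the example are constructed placeholders, not real certificates or keys, and the function names are made up.

```sh
#!/bin/sh
# Added example (not from the page or Meza): build and sanity-check a
# HAProxy PEM bundle (leaf, intermediates, key, in that order).

# Constructed placeholder PEM blocks; only the headers matter here.
LEAF_PEM='-----BEGIN CERTIFICATE-----
LEAFbodyPLACEHOLDER
-----END CERTIFICATE-----'
INTERMEDIATE_PEM='-----BEGIN CERTIFICATE-----
INTERMEDIATEbodyPLACEHOLDER
-----END CERTIFICATE-----'
KEY_PEM='-----BEGIN PRIVATE KEY-----
KEYbodyPLACEHOLDER
-----END PRIVATE KEY-----'

has_header() {   # has_header FILE PATTERN
    grep -q -- "$2" "$1"
}

# assemble_haproxy_pem OUT LEAF KEY [INTERMEDIATE...]
# Intermediates go in the order given (the leaf's issuer first). The
# bundle holds a private key, so it is written under umask 077 (mode 600).
assemble_haproxy_pem() {
    out=$1 leaf=$2 key=$3
    shift 3
    has_header "$leaf" '^-----BEGIN CERTIFICATE-----' ||
        { echo "leaf file is not a certificate" >&2; return 1; }
    has_header "$key" '^-----BEGIN .*PRIVATE KEY-----' ||
        { echo "key file is not a private key" >&2; return 1; }
    for ca in "$@"; do
        has_header "$ca" '^-----BEGIN CERTIFICATE-----' ||
            { echo "$ca is not a certificate" >&2; return 1; }
    done
    ( umask 077; cat "$leaf" "$@" "$key" > "$out" )
}

# Certificate blocks in a bundle: 1 means no chain was included, which
# is one common reason HAProxy serves a cert browsers cannot validate.
cert_count() { grep -c -- '^-----BEGIN CERTIFICATE-----' "$1"; }

# First PEM body line; in a correct bundle it belongs to the leaf. On
# real files "openssl x509 -in BUNDLE -noout -subject" shows the same
# thing: the first certificate must carry the server name.
first_cert_body() { sed -n 2p "$1"; }

# With real files, validate the chain against the organization's root
# before handing it to HAProxy (needs openssl; not run by the demo):
#   verify_chain ROOT LEAF INTERMEDIATE...
verify_chain() {
    root=$1 leaf=$2; shift 2
    tmp=$(mktemp) && cat "$@" > "$tmp" &&
        openssl verify -CAfile "$root" -untrusted "$tmp" "$leaf"
    rc=$?; rm -f "$tmp"; return $rc
}

# Demo with the placeholders; prints the bundle path.
demo_bundle() {
    d=$(mktemp -d) || return 1
    printf '%s\n' "$LEAF_PEM" > "$d/leaf.pem"
    printf '%s\n' "$INTERMEDIATE_PEM" > "$d/intermediate.pem"
    printf '%s\n' "$KEY_PEM" > "$d/meza.key"
    assemble_haproxy_pem "$d/meza.crt" "$d/leaf.pem" "$d/meza.key" "$d/intermediate.pem" || return 1
    printf '%s\n' "$d/meza.crt"
}

demo_bundle
```

After redeploying the load balancer, `openssl s_client -connect myhostname.mycompany.com:443 -servername myhostname.mycompany.com` shows the chain actually being served; if only one certificate appears in its output, HAProxy was given the leaf alone and the intermediate needs to be appended as above.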

Changing the Logo

  1. cd'd to: /opt/conf-meza/public/wikis/demo and changed the logo.png file
  2. ran #sudo meza deploy monolith --tags mediawiki --skip-tags smw-data,search-index to re-deploy only what was needed to update the landing page

Adding SAML Auth

using the instruction here: https://www.mediawiki.org/wiki/Meza/Setup_SAML_authentication

  1. Step 1: Set secret config
    1. run #tr -dc '0-9a-zA-Z' </dev/urandom | head -c 32; echo and paste the 32-character output to a scratch pad (notepad or whatever) as the salt code to be used below when needed (the guide's form of this command used dd bs=32 count=1 in place of head -c 32; dd can return fewer than 32 characters on a short pipe read, so head -c is used here)
    2. run #tr -dc '0-9a-zA-Z' </dev/urandom | head -c 16; echo and paste the 16-character output to a scratch pad (notepad or whatever) as the adminpassword to be used below when needed
    3. discovered that /opt/conf-meza/secret/monolith/secret.yml is encrypted (with ansible-vault), so the solution provided to me was:
    4. run meza_env=monolith to set the variable meza_env to monolith (my environment)
    5. then run  sudo ansible-vault edit "/opt/conf-meza/secret/$meza_env/secret.yml" --vault-password-file "/opt/conf-meza/users/meza-ansible/.vault-pass-$meza_env.txt" which decrypts the file secret.yml automatically and opens it as readable text in the infamous "vi" editor.
    6. Now to edit using the vi editor (vi notes)
      1. down-arrow to the last character at the end of the file and type a, which puts you in "insert" mode and lets you add new lines.
      2. copy the text from the SAML link above into the secret.yml file at the end (Ctrl-C to copy it from notepad and right-click to paste it into "vi")
      3. cursor up to the line that reads: salt: <output of command from above> and replace the <output of command from above> with the salt code created above in step 1.1
      4. cursor down to the line that reads: adminpassword: <your strong password> and replace <your strong password> with the adminpassword created in step 1.2 above
      5. Type :wq to save and exit vi
      6. exiting vi from the ansible-vault edit command automatically re-encrypts the file
      7. you should now be back at the system cli
  2. Step 2: Set public config
    1. ...
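The following is an added example, not code from this journal, from Meza, or from the linked SAML guide. It generates the two values that Step 1 pastes into secret.yml and keeps them in an owner-only scratch file instead of an unencrypted notepad, and it checks the result before you open the vault. It renders only the two lines the journal edits (salt and adminpassword); the rest of the SAML block comes from the linked guide and is not reproduced. The function names and the scratch-file location are made up for the illustration.

```sh
#!/bin/sh
# Added example (not from the page, Meza, or the SAML guide): generate
# the salt and admin password for secret.yml and stage them safely.

# N random characters from [0-9A-Za-z]. With 62 symbols, 32 characters
# carry about 190 bits of entropy and 16 about 95 bits. head -c returns
# exactly N bytes, unlike a single dd read from a pipe.
gen_secret() {   # $1 = length
    LC_ALL=C tr -dc '0-9A-Za-z' < /dev/urandom | head -c "$1"
    echo
}

# The two lines Step 1 edits in the vault.
render_secret_lines() {   # $1 = salt, $2 = adminpassword
    printf 'salt: %s\nadminpassword: %s\n' "$1" "$2"
}

# Write fresh values to PATH with mode 600 (umask 077 in a subshell so
# the caller's umask is untouched). Delete the file once the vault is
# updated; it is a plaintext copy of what the vault protects.
write_scratch() {   # $1 = path
    ( umask 077
      salt=$(gen_secret 32) && pw=$(gen_secret 16) &&
      render_secret_lines "$salt" "$pw" > "$1" )
}

# Check a scratch file before pasting: both keys present, correct
# lengths, correct alphabet, owner-only permissions.
check_scratch() {   # $1 = path
    grep -q '^salt: [0-9A-Za-z]\{32\}$' "$1" &&
    grep -q '^adminpassword: [0-9A-Za-z]\{16\}$' "$1" &&
    [ "$(stat -c %a "$1")" = "600" ]
}

f=$(mktemp -d)/saml-secrets.yml          # assumed scratch location
write_scratch "$f" && check_scratch "$f" && echo "scratch file ok: $f"
```

When pasting the block into the vault editor, remember that ansible-vault edit opens whatever $EDITOR is (vi by default); if that is vim, `:set paste` before the right-click paste stops autoindent from re-indenting the YAML, which otherwise silently breaks the file's structure.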

Added more Wikis

  1. added new wikis using #sudo meza create wiki monolith
    • note: was surprised that this did not create any users, but apparently this is normal
  2. looking into how to create sysop users; my hope is to get the SAML e-auth working and have users added automatically by e-auth from my organization's identity provider